Packet Forwarding
Packet-based communication systems, such as those based on Ethernet standards, include network units which may be hardware or software based but are usually a mixture of hardware and software processing. Among other actions, such a unit performs a lookup on fields within a packet, including address fields, to obtain ‘forwarding data’ which determines, so far as that unit is concerned, at least one destination for the packet. The forwarding data usually takes the form of a bit mask indicating the port or ports from which the packet, or a copy of it, should be sent. The lookup may be based on ‘layer 2’ (media access control) addresses, ‘layer 3’ (network or IP) addresses, or both.
Post-Processing
Before a packet is forwarded from a switch it may be necessary to perform other processing operations which affect the forwarding of the packet and/or copies of it. For example, the destination port bit mask may need modification in view of VLAN membership rules, spanning tree rules or trunking rules. Each set of rules is administered by a respective ‘engine’, and a final ‘post-processing engine’, coupled to these processing engines and to the lookup engine, produces the final port bit mask.
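The post-processing stage described above, as an added software model that is not part of the original text: a lookup engine yields a candidate destination-port bit mask, and the VLAN, spanning-tree and trunking rules then prune or reshape it. The port count, the switch configuration, the flood-to-all-ports convention for an unknown destination, and the CRC-based hash used to pick one trunk member are all assumptions made for this illustration.

```python
# Added example (not from the original text): a software model of the
# post-processing engine.  Configuration values below are constructed for
# this illustration; the hash used to pick a trunk member is an assumption.
import zlib

NUM_PORTS = 8
ALL_PORTS = (1 << NUM_PORTS) - 1

# Assumed switch configuration (constructed for this example).
VLAN_MEMBERS = {10: 0b0000_1111, 20: 0b1111_0000}   # vlan id -> member port mask
STP_FORWARDING = 0b0111_1111                         # port 7 is blocked by spanning tree
TRUNKS = [0b0000_0110]                               # ports 1 and 2 form one trunk (LAG)


def lookup(dst_mac, mac_table, vlan):
    """Layer-2 lookup: a known destination gives a single port bit; an unknown
    destination gives a flood mask meaning 'all ports', which post-processing
    then narrows to the VLAN's members."""
    port = mac_table.get((vlan, dst_mac))
    return (1 << port) if port is not None else ALL_PORTS


def trunk_select(mask, flow_key: bytes):
    """Trunking rule: a packet leaves a trunk on exactly one member link.
    The member is chosen by hashing the flow so one flow stays in order.
    Only members that survived the earlier rules are candidates."""
    for trunk in TRUNKS:
        candidates = [p for p in range(NUM_PORTS) if (mask & trunk) >> p & 1]
        if candidates:
            chosen = candidates[zlib.crc32(flow_key) % len(candidates)]
            mask = (mask & ~trunk) | (1 << chosen)
    return mask


def post_process(lookup_mask, vlan, ingress_port, flow_key: bytes):
    """Combine the engines' rules into the final port bit mask."""
    mask = lookup_mask & VLAN_MEMBERS.get(vlan, 0)   # VLAN membership rule
    mask &= STP_FORWARDING                           # spanning-tree rule
    mask &= ~(1 << ingress_port)                     # never echo out the ingress port
    return trunk_select(mask, flow_key)              # trunking rule


if __name__ == "__main__":
    table = {(10, "aa:bb:cc:dd:ee:03"): 3}
    print(bin(post_process(lookup("aa:bb:cc:dd:ee:03", table, 10), 10, 0, b"flow-a")))
    print(bin(post_process(lookup("unknown", table, 10), 10, 0, b"flow-a")))
```

A VLAN the unit does not know yields an empty mask, i.e. the packet is dropped, and a flood on VLAN 10 from port 0 reaches port 3 plus exactly one of the two trunk members.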
Transmission Control
In addition to addressing data packets, network systems usually employ a transmission protocol intended to provide reliable data transfer, with the aid of a handshake routine and subsequent codified commands and acknowledgements, because an addressing protocol such as IP does not in itself guarantee delivery of any particular packet. As indicated above, one such protocol is TCP, which, as far as a network unit is concerned, is implemented by means of segments encapsulated within packets. A TCP segment normally includes: ‘source port’ and ‘destination port’ numbers, which identify the connected processes within the sending host and the receiving host; a sequence number, which is the byte-stream number of the first byte of data sent in the segment; an acknowledgement number, which indicates the sequence number of the next byte that the host is expecting from the other host; various other fields, including the one-bit ACK, SYN and FIN flags and a header length field; and the user data.
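Decoding those TCP fields from a raw IPv4 packet, as an added example that is not code from the original text: a network unit must locate the segment inside the IP packet (honouring the IP header length) and read the data offset before it can key on ports or flags. The packet builder and the sample SYN segment are constructed here for the illustration; checksums are left zero because only field extraction is exercised.

```python
# Added example (not from the original text): extracting the TCP fields a
# forwarding unit keys on from a raw IPv4 packet.  Sample packets are
# constructed by build_ipv4_tcp; checksums are left at zero on purpose.
import struct

IP_PROTO_TCP = 6


def parse_ipv4_tcp(packet: bytes) -> dict:
    """Return the IP/TCP fields of interest, or raise ValueError if the
    packet is not a well-formed IPv4 packet carrying a TCP segment."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4                  # IP header length, options included
    if ihl < 20 or total_len < ihl or len(packet) < total_len:
        raise ValueError("bad IPv4 lengths")
    if proto != IP_PROTO_TCP:
        raise ValueError("not TCP")
    seg = packet[ihl:total_len]                 # the encapsulated segment
    if len(seg) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, _win, _tcsum, _urg = struct.unpack(
        "!HHIIHHHH", seg[:20])
    hdr_len = (off_flags >> 12) * 4             # 4-bit data offset, in 32-bit words
    if hdr_len < 20 or hdr_len > len(seg):
        raise ValueError("bad TCP data offset")
    flags = off_flags & 0x1FF
    return {
        "ipsa": ".".join(map(str, src)),
        "ipda": ".".join(map(str, dst)),
        "protocol": proto,
        "src_port": sport,
        "dst_port": dport,
        "seq": seq,                             # byte-stream number of first data byte
        "ack": ack,                             # next byte expected from the peer
        "hdr_len": hdr_len,
        "fin": bool(flags & 0x01),
        "syn": bool(flags & 0x02),
        "rst": bool(flags & 0x04),
        "ack_flag": bool(flags & 0x10),
        "data": seg[hdr_len:],
    }


def build_ipv4_tcp(src, dst, sport, dport, seq, ack, flags, data=b""):
    """Construct a minimal IPv4 packet carrying a TCP segment (no options,
    zero checksums).  Used only to create sample input for the parser."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                      (5 << 12) | flags, 65535, 0, 0) + data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64,
                     IP_PROTO_TCP, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + tcp


# Constructed samples: the first two steps of a handshake.
SAMPLE_SYN = build_ipv4_tcp("10.0.0.1", "10.0.0.2", 40000, 80, 1000, 0, 0x02)
SAMPLE_SYN_ACK = build_ipv4_tcp("10.0.0.2", "10.0.0.1", 80, 40000, 5000, 1001, 0x12)

if __name__ == "__main__":
    print(parse_ipv4_tcp(SAMPLE_SYN))
```

The length checks matter in a forwarding unit: a data offset that points past the end of the segment, or an IP total length larger than the bytes actually received, must be rejected rather than used to index memory.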
Memory Space
Network units are usually realized by means of an application-specific integrated circuit (ASIC) which has appropriate terminals or pins for coupling to ports and other external connecting elements. Memory space on an ASIC is necessarily limited, so it is usual for the ASIC to supplement a comparatively small internal memory with a substantially larger external, ‘off-chip’ memory, either a static random access memory (SRAM) or a content addressable memory (CAM).
Access Control Lists
Access control lists (ACLs) refer, at least in part, to protocol data at a higher level than the network layer and represent an additional processing feature which may be used for checking the security of data transmission, among other purposes. If ACLs are used, an ACL search has to be performed on each packet to determine whether there is an ACL match. If there is a match, the forwarding action determined by the ACL match must be performed instead of the forwarding action determined by the address lookup (as modified, as the case may be, by the other processing engines).
An access control list (ACL) may simply consist of a basic ACL, which when relating to TCP normally consists of five fields identifying the IP destination address (IPDA), the IP source address (IPSA), the TCP destination port number, the TCP source port number and the IP protocol number. However, other ACLs may comprise the basic 5-tuple ACL along with other flags, such as the SYN, FIN or RST flags, or other flags or fields. It is preferable to provide at least one ACL per TCP flow direction and desirable to provide a multiplicity of ACLs per flow direction. Each ACL requires an entry in a database, and a basic ACL is quite long: source port and destination port numbers are (currently) two bytes each, and network addresses are four bytes each for IPv4 and 16 bytes each for IPv6, so a basic IPv4 5-tuple occupies 13 bytes and its IPv6 counterpart 37 bytes before any flag fields are added. Thus it will be apparent that, since memory space is inevitably limited, the more ACLs are required or desirable per flow, the fewer flows with ACLs can be supported.
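The ACL search and its override of the address lookup, as an added software model that is not part of the original text: entries carry the basic 5-tuple, optionally extended with TCP flag conditions, and the first matching entry replaces the forwarding action that the lookup produced, in the spirit of a priority search in a CAM. The entry layout, the action vocabulary, the rule set and the capacity arithmetic (which uses the field widths stated above) are assumptions made for this illustration; the packet dictionaries fed in are constructed, as a real unit would fill them from the parsed headers.

```python
# Added example (not from the original text): ACL search over 5-tuple
# entries with optional TCP-flag conditions.  First match wins and overrides
# the lookup result.  Rule set, actions and entry layout are assumptions.
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Acl:
    ipda: str                    # CIDR; "0.0.0.0/0" or "::/0" matches any address
    ipsa: str
    dst_port: Optional[int]      # None means wildcard
    src_port: Optional[int]
    protocol: Optional[int]
    flags: dict = field(default_factory=dict)   # e.g. {"syn": True, "ack_flag": False}
    action: str = "deny"                        # "deny", "permit" or "redirect:<port>"

    def matches(self, pkt: dict) -> bool:
        """True if every configured field agrees with the packet's fields."""
        if ipaddress.ip_address(pkt["ipda"]) not in ipaddress.ip_network(self.ipda):
            return False
        if ipaddress.ip_address(pkt["ipsa"]) not in ipaddress.ip_network(self.ipsa):
            return False
        for want, have in ((self.dst_port, pkt["dst_port"]),
                           (self.src_port, pkt["src_port"]),
                           (self.protocol, pkt["protocol"])):
            if want is not None and want != have:
                return False
        return all(pkt.get(name) == value for name, value in self.flags.items())


def resolve_action(acls, pkt: dict, lookup_mask: int):
    """Search the ACLs in priority order.  Returns (final_port_mask, reason):
    an ACL hit replaces the lookup's mask, a miss keeps it."""
    for acl in acls:
        if acl.matches(pkt):
            if acl.action == "deny":
                return 0, "denied by ACL"
            if acl.action.startswith("redirect:"):
                return 1 << int(acl.action.split(":", 1)[1]), "redirected by ACL"
            return lookup_mask, "permitted by ACL"
    return lookup_mask, "address lookup"


def acl_entry_bytes(ip_version: int, flag_bytes: int = 0) -> int:
    """Width of one basic ACL entry plus any flag extension: two 2-byte port
    numbers, a 1-byte protocol, and two 4-byte (IPv4) or 16-byte (IPv6) addresses."""
    addr = 4 if ip_version == 4 else 16
    return 2 * addr + 2 + 2 + 1 + flag_bytes


def flows_supported(db_bytes: int, ip_version: int, acls_per_direction: int,
                    flag_bytes: int = 0) -> int:
    """How many bidirectional flows fit when each direction needs
    acls_per_direction entries in a database of db_bytes."""
    per_flow = 2 * acls_per_direction * acl_entry_bytes(ip_version, flag_bytes)
    return db_bytes // per_flow


# Constructed rule set: refuse new inbound telnet connections (pure SYN) to the
# 192.168.1.0/24 segment, but let the established half of such a flow pass.
RULES = [
    Acl("192.168.1.0/24", "0.0.0.0/0", 23, None, 6, {"syn": True, "ack_flag": False}, "deny"),
    Acl("192.168.1.0/24", "0.0.0.0/0", 23, None, 6, {"ack_flag": True}, "permit"),
]

if __name__ == "__main__":
    syn = {"ipda": "192.168.1.5", "ipsa": "203.0.113.9", "dst_port": 23,
           "src_port": 51000, "protocol": 6, "syn": True, "ack_flag": False}
    print(resolve_action(RULES, syn, 0b1000))
    print(acl_entry_bytes(4), acl_entry_bytes(6), flows_supported(1 << 20, 4, 1))
```

The capacity helper makes the closing point of the paragraph concrete: with one basic IPv4 ACL per direction a 1 MiB database holds about 40 000 flows, while four flag-extended IPv6 ACLs per direction in the same memory leave room for only a few thousand.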